Originally published Wednesday, December 27, 2006 at 12:00 AM
Vista security flaws investigated
By Benjamin J. Romano, Seattle Times technology reporter
Windows Vista won't be broadly available for another month, but already a cluster of security vulnerabilities has surfaced to dent the armor of what Microsoft describes as its most secure operating system ever.
Microsoft security experts were still investigating the first publicly disclosed Vista vulnerabilities Tuesday. The company said it was not aware of any attacks made on its customers using these flaws.
Other security experts said the vulnerabilities, reported in The New York Times on Christmas Day, were notable for being the first of many swipes at Vista security, but little more.
"We certainly don't think the barn is burning," said Alfred Huger, senior director of security response at Symantec, adding: "Had it been anything else other than Vista, this would have passed into obscurity pretty quickly."
Computer-security company Determina notified Microsoft on Dec. 20 of five vulnerabilities it had identified — four affecting Vista and earlier versions of Windows, and one affecting Microsoft's Exchange e-mail server.
Determina did so after a Russian hacker posted details of one Windows flaw on a hacker Web site last week, meaning that clues about the vulnerability were public, said Nand Mulchandani, vice president of marketing and business development at the Redwood City, Calif., company.
Using that flaw, attackers could send a malicious program as an e-mail attachment that, if opened, could gain "administrator" privileges on the computer. This higher level of access could allow the attacker to change system settings, install programs and "do all kinds of bad things to your computer," Mulchandani said.
Known as a local privilege escalation, this attack cuts at the user-account control features Microsoft has touted among many other security improvements to Vista.
In a blog posting Friday, a Microsoft security expert noted that to successfully exploit the vulnerability, the attacker would already need to have "authenticated access to the target system," such as a password.
Another vulnerability Determina found — this one in Microsoft's latest Web browser, Internet Explorer 7 — could allow attackers to craft Web pages that would run malicious code on computers that visit them, Mulchandani said.
New security features in Vista and IE7 keep the browser "in a sandbox": on Vista, IE7's Protected Mode runs the browser at a low integrity level, effectively separating it from the rest of the computer, so that malicious code that gets into the browser would be confined to it and blocked from writing to the rest of the user's profile or the system.
Mulchandani said the fear is hackers are working to link the privilege escalation attack with the IE7 vulnerability, which would let attackers "completely circumvent the sandboxing that's been included in Vista" and gain access to the entire computer.
Minoo Hamilton, senior security researcher at network security provider nCircle, said this could indicate that hackers face additional complexity in exploiting Windows Vista vulnerabilities.
"You have to get a browser or e-mail exploit and you have to combine it with a local privilege escalation," he said.
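The two-stage attack that Mulchandani and Hamilton describe only makes sense once it is clear what the "sandbox" actually is. On Vista, the boundary is an integrity level on the browser's token, and whether Protected Mode is switched on is a per-zone setting. The following PowerShell script is an added example, not code from the article or from Microsoft, that reports both on a Vista-or-later machine: it assumes that the per-zone Protected Mode switch is the DWORD named `2500` under each zone key (0 = on, 3 = off), that zone 3 is the Internet zone, and that `whoami /groups` lists the token's mandatory label with a type of `Label`.

```powershell
# Added example (not from the article): inspect the two mechanisms behind the
# IE7 "sandbox" on Windows Vista. Protected Mode runs iexplore.exe at the Low
# integrity level of Mandatory Integrity Control, so a payload executing inside
# the browser cannot write to Medium- or High-integrity objects (the user's
# profile, HKLM, system files) without a separate privilege-escalation bug.
#
# Assumptions: Vista or later; the per-zone Protected Mode switch is the DWORD
# named 2500 under each zone key (0 = on, 3 = off); zone 3 is the Internet zone.

function Get-ProtectedModeStatus {
    $zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                    3 = 'Internet';    4 = 'Restricted sites' }
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

    foreach ($zone in 0..4) {
        $key   = Join-Path $base $zone
        # The key or the 2500 value may be absent, in which case the zone default applies.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = if ($props) { $props.'2500' } else { $null }

        $state = if ($null -eq $value) { 'Not set (zone default)' }
                 elseif ($value -eq 0) { 'On' }
                 elseif ($value -eq 3) { 'Off' }
                 else                  { "Unknown ($value)" }

        [pscustomobject]@{
            Zone          = $zoneNames[$zone]
            ProtectedMode = $state
            RawValue      = $value
        }
    }
}

function Get-CurrentIntegrityLevel {
    # whoami /groups lists the token's mandatory label next to its groups.
    # The label SID is S-1-16-<level>: 4096 = Low, 8192 = Medium, 12288 = High.
    # Run this from a process to see which side of the sandbox boundary it is on.
    $rows  = whoami.exe /groups /fo csv | ConvertFrom-Csv
    $label = $rows | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1
    if ($null -eq $label) { return 'Unknown (no mandatory label in token)' }
    '{0} ({1})' -f $label.'Group Name', $label.SID
}

# Usage: show the per-zone switch, then the integrity level of this shell.
Get-ProtectedModeStatus | Format-Table -AutoSize
Get-CurrentIntegrityLevel
```

An interactive PowerShell window normally reports `Medium Mandatory Level`; a process launched by Protected Mode IE7 would report `Low Mandatory Level` and be denied writes to Medium-integrity objects. That denial is the sandbox, and it is why a browser exploit on Vista has to be paired with a local privilege-escalation bug, as Hamilton describes, before it can do anything outside the browser.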
Microsoft is keeping outside security researchers updated on its investigation, but, as is common in the security industry, has not released many details publicly, including its assessment of the potential severity of the vulnerabilities.
"The criminal can take any little nugget and try to extrapolate from that ... how to attack the software," said Stephen Toulouse, senior product manager in Microsoft's security group.
If the company confirms the vulnerabilities and determines they pose a risk, it will take action, such as issuing a software update or patch to correct the problem, he said.
Security experts expect to see more Vista vulnerabilities. "It's the first of many to come," said Symantec's Huger.
Toulouse said Microsoft knows Vista is not bulletproof, and while the company is always disappointed when vulnerabilities are identified, it was not surprised to see flaws in Vista noted so soon.
"It's not entirely unexpected if you think about how many people actually have been looking at Windows Vista," he said.
The company distributed more than 3,000 copies to security experts at a conference last summer, and millions of people have participated in testing of the software.
Microsoft plans to highlight the multitudes who had a hand in Vista and Office, its other flagship product, during an event marking broad availability of the software Monday, Jan. 29, in New York's Times Square.
"Millions of people — Microsoft employees, developers, valued customers, bloggers, families, media, the entire industry — have come together like never before and added their own individual imprints to help make Windows Vista and 2007 Microsoft Office system the most tested products in Microsoft history," said an invitation the company sent out to media late Friday.
Microsoft also launched Vista and Office 2007 for businesses in Times Square on Nov. 30. But the broad consumer launch, coming a few weeks after Chairman Bill Gates gives his annual speech at the huge Consumer Electronics Show in Las Vegas, looks to be more lavish.
Benjamin J. Romano: 206-464-2149 or bromano@seattletimes.com